id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
32456	Add support for PostgreSQL passfile to dbshell.	Dominik George	Hasan Ramezani	"The dbshell management commands all carry the risk of leaking passwords through process information (as noted in a comment in db.backends.mysql.client). As of Django 3.2, there is the settings_to_cmd_args_env class method, which provides an API to generate the environment needed to call the utility.

Using the environment is somewhat more secure, but the environment of processes can potentially still be read. Both MySQL and PostgreSQL advise against using the respective environment variables.

Specifying [https://www.postgresql.org/docs/current/libpq-pgpass.html a password file] works for connections but `dbshell` doesn't support it, see [https://code.djangoproject.com/ticket/32456#comment:2 comment].

~~I want to propose a way to solve this. I already did this in django-dbbackup, which also happened to construct a command line before:~~

~~https://github.com/django-dbbackup/django-dbbackup/pull/385/commits/222152afe9032e98249cada6d7e200a3eb751e63~~

~~The mechanism is that in addition to the environment and args, a temporary file is generated. For PostgreSQL, this is a file in .pgpass format; for MySQL, it could be an options file. I wrapped that handling in a neat context manager.~~

~~For Django itself, I did a quick shot at PostgreSQL as well, as attached in the patch. The patch is not complete, and is only intended as a base for discussion. If we find consensus about the mechanism, I will happily complete it and extend to the other backends.~~

"	New feature	closed	Database layer (models, ORM)	4.0	Normal	fixed		Florian Apolloner Daniel Bowring Simon Charette	Ready for checkin	1	0	0	0	1	0
